As Atlanta Recovers From Ransomware Attack, Georgia Looks to Boost Cyber Collaboration

Local officials in Atlanta haven't asked for the Georgia Technology Authority’s help since City Hall was hit with a ransomware attack on March 22, but the state’s Cybersecurity Workforce Academy could assist local governments in avoiding similar crises in the future.

The city had until March 28 to transfer 6 bitcoins, worth about $51,000, to a bitcoin wallet disabled days before the deadline—lest the hackers encrypting some government systems delete the data they had access to.

Critical emergency response and airport systems remained online immediately after the attack, while municipal court, business licensing and utility payment services went down. Atlanta continues to restore services, but the situation remains unresolved.

“We’ve been monitoring the situation since the story broke,” GTA Security Architect Walter Tong told Route Fifty by phone Thursday. “If they were to ask for our assistance, we would be glad to do so.”

That Atlanta’s incident response team hasn’t reached out isn’t necessarily alarming considering the Department of Homeland Security, FBI, Secret Service, and tech companies like Microsoft and SecureWorks are already involved.

Plus, a city’s cyber insurance often dictates next steps concerning forensic, recovery and equipment replacement services, Tong said.

“It's doubtful the state could have prevented this attack, since the attack had a specific target, in this case the city,” Area 1 Security CEO Oren Falkowitz told Route Fifty in an email. “It can absolutely happen at the state level, and unless there is some change in their cybersecurity posture, unfortunately, it will.”

GTA hasn’t re-evaluated its IT protocols or workforce needs in the aftermath of the Atlanta attack because its “processes and procedures are fairly solid,” Tong said. The state receives notifications and alerts from the Multi-State Information Sharing & Analysis Center, or MS-ISAC, to maintain situational awareness.

MS-ISAC further shares remediation procedures and processes state and local governments can use to prevent ransomware from spreading. Cities like Atlanta need preemptive cyber measures that stop preliminary phishing attacks, Falkowitz said.

Georgia instituted a user awareness training program to that end, to the point where GTA will call the originator of an email with questionable links or attachments like GIFs. Employees started out attending cyber training every two months and now every quarter, and a learning management system tracks who passes the final exam, how many questions they get right and who skips the exercise—notifying their managers.

A $100 million state Cyber Center is under construction in Augusta, and the Georgia Cybersecurity Workforce Academy will eventually operate out of the facility. The academy primarily trains state agency information security officers, but courses will eventually be opened up to local government organizations with 24/7 online instruction available.

Certificates of completion are issued by the state chief information officer, and the academy will also partner with Georgia’s academic institutions to train students for the local, skilled workforce.

“It’s not a matter of if but when,” Tong said. “Hold cyber exercises to your incident response plan, and stay situationally aware of what’s going on internally and externally with your network.”

States and cities are responsible for digital infrastructure that operates core resident services like public transit, Falkowitz said, and cyber awareness must include citizens—providing them with the tools they need to secure their data and safely conduct commerce online.

“States have their own systems to secure, as well, but there needs to be more collaboration between the two entities, and the federal government as well,” Falkowitz said. “Local, city and state governments need to take a more holistic view and understand that they're all targets.”